A security principal represents a user, group, or service principal that can be used to assign permission on various Azure Resources.
Users (User Principal): These are basically our normal users with UPN and password. We create a user object in Azure AD, and use it to authenticate to access various services e.g. M365 etc.…
Groups: These are another type of object in Azure AD mainly known as security group in Azure AD, and they can be used to specify permissions to SharePoint sites etc.…
Enterprise Apps (Service Principal): Ok so these are the interesting one, here we give permissions based on Application ID. You might have seen Enterprise application in your Azure AD. When these application are accessing some resource in your tenant. That means they are leveraging Service principals.
Managed Identities: These are the latest introduction onto the identity model. In fact, we can say they are actually Service Principals. They are always linked to an Azure Resource.
Managed Identities are further of Two Types:
System assigned: in this scenario, the identity is linked to a single Azure Resource, eg a Virtual Machine, a Logic App, a Storage Account, Web App, Function,… so almost anything. Next, they also “live” with the Azure Resource, which means they get deleted when the Azure Resource gets deleted. –
User Assigned Managed Identity: These are meant to create as a stand-alone Azure resource by itself, after which it can be linked to multiple Azure Resources.